UK councils have been subjected to over 98 million cyber attacks in the past five years, an investigation by Big Brother Watch today reveals. The report exposes the extraordinary extent of cyber security threats faced by local authorities – amounting to 37 cyber attacks[1] every minute – whilst they are accumulating growing troves of sensitive and personal information about citizens.

Big Brother Watch’s report uncovers an overwhelming failure of councils to report losses and breaches of data, as well as shortcomings in staff training.

The investigation reveals that 25 councils experienced a loss or breach of data – but more than half went unreported. Although human error is the main factor in making a hack successful, the investigation found that 3 in 4 local authorities do not provide mandatory cyber security training to staff.

These findings raise concerns about the ability and commitment of local authorities to fend against cyber attacks. The report comes at a time when local authorities are collecting more personal information about citizens than ever, making them a growing target for cyber attacks.

“With councils hit by over 19 million cyber attacks every year, one would assume that they would be doing their utmost to protect citizens’ sensitive information. We are shocked to discover that the majority of councils’ data breaches go unreported and that staff often lack basic training in cyber security. Local authorities need to take urgent action and make sure they fulfil their responsibilities to protect citizens. ”

“The Big Brother Watch report reveals inconsistent approaches to safeguarding personal and sensitive data held by local authorities. It highlights the pressures faced by local authorities in a world of diminishing resources but increasing demands. It will be important that local authorities receive appropriate support moving forward.”

The report with the full breakdown of local authorities can be found here

[1] A ‘cyber attack’ is defined by the UK’s National Cyber Security Centre as ‘a malicious attempt to damage, disrupt or gain unauthorised access to computer systems, networks or devices, via cyber means

[2] A ‘cyber security incident’ is defined by the UK’s National Cyber Security Centre as ‘a breach of a system’s security policy in order to affect its integrity or availability or the unauthorised access or attempted access to a system’